Access control mechanism for web2

Description

Merge web2-access forward, rename to have this ticket in the name.

(04:29:05) exarkun: Tv: Hello
(04:29:17) exarkun: Tv: What are your thoughts regarding /branches/tv/web2-access?
(10:29:06) Tv: exarkun: i think nobody ever reviewed web2-access
(10:29:28) Tv: exarkun: i still think it's a nice feature
(10:48:39) exarkun: Tv: The implementation seems contrary to the typical manner of authentication and authorization in Twisted.
(11:30:25) Tv: exarkun: feel free to comment further on *how* you would like it to look
(11:47:10) exarkun: Tv: cred wooo
(11:47:47) Tv: exarkun: yes, well, see how well the original web cred integration worked
(11:48:01) exarkun: Tv: fucking _fabulously_ what are you talking about?
(11:48:23) Tv: exarkun: about the fact that most people can't use it
(11:48:31) _keturn: are you talking about some ticket I should be paying attention to?
(11:48:32) exarkun: Tv: everyone can and must use it
(11:48:50) exarkun: _keturn: we're not even talking about a ticket. :)
(11:48:52) Tv: exarkun: nice disconnection, let me know when you want to come back to reality ;)
(11:48:58) radix: Tv: Why can't they use it?
(11:49:11) Tv: besides, cred does mostly user auth
(11:49:18) Tv: there's plenty of other ACL stuff
(11:49:24) Tv: on the phone
(11:49:36) exarkun: Tv: don't forget that "auth" is short for two things :)
(11:49:38) radix: Yes, ACL is out of the scope of cred. That is authorization.
(11:49:44) exarkun: Tv: an ACL is just one kind of authorization.
(11:49:50) Tv: radix: web2-access is meant to be ACL
(11:49:50) exarkun: radix: and cred does authorization
(11:49:54) exarkun: in addition to access to control
(11:49:57) exarkun: erasdlkj
(11:49:57) radix: well, ok
(11:50:00) exarkun: in addition to authentication
(11:50:03) radix: it gives you the first step to authorization :)
(11:50:16) exarkun: ACLs can be implemented with an avatar that has ACL logic in it
(11:51:06) radix: Tv: anyway, you didn't explain why people can't use cred
(11:51:18) radix: Tv: I will patiently await the end of your phone call.
(13:14:14) Tv: exarkun: so
(13:14:33) Tv: exarkun: one of the things i like about web2-access is that you can plug in ACL enforcers at any point in the resource tree
(13:15:20) Tv: exarkun: what i tend to do is have a full self-contained "app" that i just plug in to the resource tree, and the app takes care of its own ACL enforcement
(13:15:43) Tv: exarkun: and if you want global sysadmin-configured ACL enforcing, you can just use the same mechanism at the top level
(13:17:11) foom: OMG this is another conversation I've had like 50000 times, isn't it?
(13:17:15) foom: I think it's even on a ticket now
(13:17:56) Tv: probably yes
(13:18:58) foom: http://twistedmatrix.com/trac/ticket/2042
(13:23:21) Tv: most of that ticket seems to be mostly concerned about authenticating users
(13:23:39) Tv: and authorizing based on username
(13:23:46) Tv: web2-access also does source-IP etc
(13:30:27) Tv: the biggest connection between the web2-access branch and #2042, that i can see, is that web2-access would read that mythical userid string
(13:30:31) Tv: and allow comparing it
(13:30:45) Tv: but that's just one of the tests in web2-access
(13:31:45) foom: well, the whole philosophical argument you were starting to espouse is exact same thing, I think, as was being argued there.
(13:32:09) Tv: is anyone actually saying t
(13:32:11) Tv: err
(13:32:32) Tv: okay
(13:32:33) Tv: honestly
(13:32:46) Tv: as far as i care, glyph is an abstraction astronaut
(13:33:32) foom: btw, how does your thing compare with dav-acl-1608-4
(13:33:32) Tv: what i really want is a simple way to have a subtree of objects where one lower level subtree is only accessible to localhost
(13:36:11) foom: Tv: From the face of it, they're both doing quite similar things
(13:36:19) Tv: foom: perhaps
(13:36:30) Tv: i'm trying to figure out what's non-dav in 1608
(13:39:31) Tv: well on the simplest level, #1608 gives you nothing unless you drink DAV koolaid
(13:39:42) foom: only because it was implemented only for DAV resources
(13:39:56) foom: (I think)
(13:39:59) Tv: trying to find the generic bits from inside of it
(13:40:18) foom: dreid could probably do a better job of helping
(13:41:01) Tv: + return davxml.ACL(*[
(13:41:01) Tv: + davxml.ACE(
(13:41:01) Tv: + davxml.Grant(davxml.Privilege(privilege)),
(13:41:01) Tv: + davxml.Principal(davxml.All())
(13:41:01) Tv: + )
(13:41:01) Tv: + for privilege in privileges
(13:41:01) Tv: + ])
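Review bot: every ACE in this fragment pairs each privilege in `privileges` with `davxml.Principal(davxml.All())`, so the returned `davxml.ACL` grants all of those privileges to every principal; if this is a default ACL, the surrounding code should document that the result is intentionally world-accessible, and the caller that supplies `privileges` is the only place the grant gets narrowed.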
(13:41:34) dreid: nothing is non-dav in 1608
(13:41:45) dreid: it is an implementation of the WebDAV ACL protocol.
(13:41:54) dreid: It is more or less entirely dav specific.
(13:42:03) Tv: yeah, that's what it seemed like
(13:42:13) Tv: web2-access is more like
(13:42:14) Tv: # /friends subtree is shown to these hosts
(13:42:14) Tv: And( Segments('friends'),
(13:42:14) Tv: Or( Network('10.0.1.0/255.255.255.0'),
(13:42:14) Tv: Network('10.0.2.0/255.255.255.0'),
(13:42:14) Tv: ),
(13:42:14) Tv: ),
(13:42:24) Tv: talking about url segments, ip addresses, etc
(13:42:29) dreid: And figuring out how to make it not dav specific is not my idea of a good time.
(13:42:30) exarkun: Tv: you can put multiple resource guards into a single url hierarchy
(13:42:40) dreid: also that thing exarkun said.
(13:42:41) foom: dreid: oh okay, I thought it had some stuff that might be more generic
(13:42:48) dreid: foom: generic is hard.
(13:42:49) Tv: exarkun: i want one login only, though
(13:42:50) exarkun: dreid: any progress being made on moving that branch somewhere?
(13:42:57) foom: exarkun: moving?
(13:42:59) exarkun: Tv: and that works too
(13:43:04) foom: exarkun: you mean merging?
(13:43:13) Tv: exarkun: good
(13:43:15) exarkun: causing any changes in it at all :)
(13:43:17) radix: foom: *that* question was asked a long time ago
(13:43:25) dreid: exarkun: No, we'll figure it out after the auth stuff settles down and we ship leopard.
(13:43:26) Tv: exarkun: now, do you think i should use guard for IP-based limits?
(13:43:36) exarkun: Tv: yes
(13:43:57) Tv: exarkun: maybe web2 has something called "guard" that is very different from nevow's guard..
(13:44:09) dreid: Tv: I've avoided calling it guard.
(13:44:35) Tv: exarkun: but web2-access's AccessControl tries to be such a thing you can put at any place in the tree
(13:44:35) exarkun: Tv: the shortcoming of nevow's guard is that it doesn't make credential type easily configurable
(13:44:46) exarkun: Tv: it has a hardcoded list of about three things it supports
(13:44:57) foom: web2-access's AccessControl is basically a guard, isn't it?
(13:45:12) Tv: foom: depending on what you mean by "guard", but I guess yes
(13:45:28) Tv: foom: it guards the resources underneath it in the tree
(13:45:43) exarkun: foom: the biggest difference, I think, is that with AccessControl you call a function and it returns a deferred which tells you if access is allowed or not
(13:45:44) Tv: according to a pluggable set of rules
(13:45:49) exarkun: foom: and then you do something based on that result
(13:46:02) foom: exarkun: so it's half of guard.
(13:46:14) exarkun: I suppose
(13:46:19) Tv: yeah, that's the IRule bit
(13:46:29) Tv: and AccessControl lets you combine those with And, Or, Not etc
(13:46:32) idnar: can I change the usage output from t.p.u.O to show the names of "positional" args?
(13:46:39) dreid: the stuff in #1608 works similarly, and there has been quite a bit of discussion about whether or not that is completely wrong.
(13:46:49) dreid: and by discussion I mean exarkun and glyph yelling at me. :)
(13:47:01) foom: glyph and exarkun like to yell at people about guard stuff
(13:47:35) exarkun: I don't like yelling at people at all
(13:47:48) itamar: I would argue that IP-based access control is orthogonal
(13:47:49) exarkun: I would like it if all of you jerks would stop making me do it
(13:47:50) exarkun: ;)
(13:47:50) Tv: exarkun: yes your style is more *passive* aggressive
(13:47:58) exarkun: itamarst: SHUT UP YOU DON'T KNOW ANYTHING YOU ASS GO AWAY
(13:48:04) itamar: for a *specific* resource
(13:48:09) itamar: not with a subtree language
(13:48:18) exarkun: itamarst: RAAAAAAAAAAAAAAAAAAAAAAAGGGGGGGHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(13:48:31) itamar: because otherwise how would you hook it up to cred!@
(13:48:34) ***idnar gets popcorn
(13:48:49) Tv: itamar: the point of web2-access is that you can say things like "https OR localhost"
(13:49:14) itamar: that's probably something you want per-avatar
(13:49:14) itamar: but
(13:49:27) itamar: the basic implementation would have to be for resources
(13:49:32) itamar: since avatars are resources in web
(13:49:58) foom: don't start with that one again. :P
(13:50:10) itamar: ok whatever
(13:50:20) itamar: I'll go back to reading
(13:50:22) foom: there has to be a lower level function which does the access control decision. web2-access might be a good implementation of that, and should be reviewed on that basis, at least.
(13:50:48) foom: how that is hooked up to other stuff is a point of argument, but however that happens, the lower level function is the same
(13:51:44) foom: That's how I'd like to see this branch move forward.
(13:52:11) exarkun: Okay!
(13:52:21) exarkun: It sounds like we aren't just going to delete it right now, then.
(13:52:31) Tv: foom: yay!
(13:52:34) exarkun: So how about someone files a ticket saying the thing foom just said
(13:52:42) Tv: foom: that works for me 100%
(13:52:48) exarkun: And then does the appropriate svn dance to make the branch line up with it
(13:53:22) exarkun: Anyone want to volunteer to do that?
(13:53:35) Tv: i still claim lack of understanding of goal
(13:53:43) foom: Tv: merge branch forward with a ticket number in it
(13:53:50) exarkun: The goal is to get rid of the "/branches/tv" directory in svn. ;)
(13:54:04) foom: Tv: then put it up for review and see if we can get it merged.
(13:54:20) Tv: ok
(13:54:39) foom: assuming it's ready for review, I don't know if you had it at that point or not?
(13:54:48) exarkun: And once all of the user branches directories are gone, I think we might generalize that goal a little bit to resolving tickets with existing branches associated with them.
(13:55:07) exarkun: And once we make some progress on that, we might try to tackle the repo reorg
(13:55:46) dreid: omg
(13:55:54) exarkun: Tv: So you will make the ticket and merge the branch forward?
(13:56:14) Tv: yeah